[pve-devel] tap && veth interfaces on host have ipv6 allocated

Wolfgang Bumiller w.bumiller at proxmox.com
Wed Sep 28 08:38:38 CEST 2016


On Tue, Sep 27, 2016 at 03:11:50PM +0200, Wolfgang Bumiller wrote:
> On Tue, Sep 27, 2016 at 02:54:47PM +0200, Alexandre DERUMIER wrote:
> > Hi,
> > 
> > we have just noticed during the training,
> > that tap && veth interfaces on host have ipv6 addresses allocated.
> 
> See http://pve.proxmox.com/pve-docs/chapter-pve-firewall.html#_avoiding_link_local_addresses_on_tap_and_veth_devices

I've been wondering whether there are any good uses for them. (I used
them a couple of times for testing when working on IPv6 initially but
have since had them disabled.)
So it's probably better to just remove them upon creation in
veth_create() and tap_create() (should be the only places where this
needs to happen).

They don't really *conflict* since the veth and tap devices don't use
the same MAC addresses on the host as they have in the guest. But if the
admin doesn't realize that VMs are essentially connected to the host via
link-local addresses this way it's easily possible to forget some
firewall rules. However, note that the bridge, too, has a link-local
address they can connect to, which is just as easy to forget if you're
not used to it (and that one's needed for neighbor discovery).
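
A host-side check for the situation described in this message, added here as an example and not part of the original post or of Proxmox code: it parses the kernel's /proc/net/if_inet6 table and reports link-local addresses on tap/veth devices separately from other interfaces such as the bridge. The sample table and its device names are constructed, and matching guest devices by a tap*/veth* name prefix is an assumption.

```python
import ipaddress

# Constructed sample in /proc/net/if_inet6 format (not from a real host):
# address, ifindex, prefix length, scope, flags, device name
SAMPLE = """\
00000000000000000000000000000001 01 80 10 80 lo
fe80000000000000021122fffe334455 02 40 20 80 vmbr0
fe80000000000000fc5466fffe000001 07 40 20 80 tap100i0
fe80000000000000fc5467fffe000002 09 40 20 80 veth101i0
20010db8000000000000000000000010 02 40 00 80 vmbr0
"""

GUEST_PREFIXES = ("tap", "veth")  # assumption: guest-facing devices use these names
LINK_LOCAL = ipaddress.ip_network("fe80::/10")

def parse_if_inet6(text):
    """Yield (device, IPv6Address) for each well-formed if_inet6 line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip blank or malformed lines
        yield fields[5], ipaddress.IPv6Address(int(fields[0], 16))

def audit(text):
    """Return (guest, other): link-local addresses on tap/veth vs. the rest."""
    guest, other = [], []
    for dev, addr in parse_if_inet6(text):
        if addr not in LINK_LOCAL:
            continue
        target = guest if dev.startswith(GUEST_PREFIXES) else other
        target.append((dev, str(addr)))
    return guest, other

def load(path="/proc/net/if_inet6"):
    """Read the live table; fall back to the constructed sample off-host."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return SAMPLE

if __name__ == "__main__":
    guest, other = audit(load())
    for dev, addr in guest:
        print(f"{dev}: {addr}  (link-local on tap/veth device)")
    for dev, addr in other:
        print(f"{dev}: {addr}  (link-local on another interface, e.g. the bridge)")
```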



